Locky now using Embedded RSA Key instead of contacting Command & Control Servers

According to security researcher Timothy Davies, a new version of the Locky ransomware, aka Zepto, has been circulating since around September 5th, 2016 that ships with an embedded RSA public key. With the key built into the sample, Locky can encrypt a victim's files without first contacting its Command & Control server to obtain one. Many system administrators block known Command & Control servers at the firewall, which, for versions that fetched their key from the server, kept a blocked sample from encrypting. With an embedded RSA key, Locky encrypts regardless of what has been blocked at the edge, so C2 blocking no longer acts as a fallback control against this version.

Embedded RSA Key

The good news is that this version is having distribution problems: the attachments are not being named properly. For example, a current campaign is using ZIP attachments that contain JS files. When executed, these files produce the error shown below.

Scripting Error

This error occurs because the attachments are actually HTA files and not JS files: Windows hands a .js file to the Windows Script Host, which tries to parse the HTML Application markup as JScript and fails. Once the file is renamed to .hta, mshta.exe runs it and the infection proceeds. The mismatch is an accident of the campaign, not a protection; a curious victim, or the next campaign, only has to fix the extension, so the lure should be treated as the executable content it is rather than trusted on its .js name.
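The defensive takeaway from the mis-named attachments is to classify script attachments by content, not by extension. The following Python snippet, an added example that is not from the article or from Timothy Davies' analysis, builds a ZIP in memory with a constructed HTA body saved under a .js name (mirroring the campaign described above) and flags the extension/content mismatch. The marker regexes, file names and sample bodies are assumptions made for the example, not artifacts from the real campaign.

```python
import io
import re
import zipfile

# Constructed sample bodies (not real Zepto loader code): HTA markup and plain JScript.
SAMPLE_HTA_BODY = b"""<html><head><HTA:APPLICATION ID="x" WINDOWSTATE="minimize"/>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
</script></head><body></body></html>
"""
SAMPLE_JS_BODY = b"var a = 1; function f() { return a; }"

# Extensions that Windows will hand to a script host or mshta.exe when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
HTA_MARKER = re.compile(rb"<\s*hta:application\b", re.I)
HTML_MARKERS = re.compile(rb"<\s*(html|head|body|script)\b", re.I)


def build_zip(entries):
    """Return ZIP bytes for a {name: body} mapping (used to construct test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


def sniff_type(body):
    """Classify an attachment body by what it contains, ignoring its file name."""
    head = body[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    if HTA_MARKER.search(head):
        return "hta"
    if HTML_MARKERS.search(head):
        return "html"
    return "script-or-other"


def extension_of(name):
    """Lower-cased final extension, so 'Invoice.PDF.js' yields '.js'."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_zip(zip_bytes):
    """Return one finding per script-type entry in the ZIP.

    A finding is a mismatch when the body is HTA/HTML markup but the entry is
    not named .hta, which is exactly the mis-named lure the article describes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            ext = extension_of(info.filename)
            if ext not in SCRIPT_EXTS:
                continue
            kind = sniff_type(z.read(info))
            findings.append({
                "name": info.filename,
                "ext": ext,
                "content": kind,
                "mismatch": kind in ("hta", "html") and ext != ".hta",
            })
    return findings


def triage(zip_bytes):
    """Gateway decision: block if any scriptable entry exists; note mismatches separately."""
    findings = scan_zip(zip_bytes)
    reasons = []
    for f in findings:
        reasons.append("script attachment %s (%s)" % (f["name"], f["ext"]))
        if f["mismatch"]:
            reasons.append("content of %s is %s, not %s" % (f["name"], f["content"], f["ext"]))
    return {"block": bool(findings), "reasons": reasons}


if __name__ == "__main__":
    lure = build_zip({"invoice_2016.js": SAMPLE_HTA_BODY, "readme.txt": b"hello"})
    for line in triage(lure)["reasons"]:
        print(line)
```

The decision blocks on any scriptable extension inside the archive, since a ZIP-wrapped .js or .hta is a lure far more often than legitimate mail; the content sniff is there so the log explains why the sample failed for the victim and so a correctly named follow-up campaign is caught by the same rule.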

Apart from the embedded key, this version continues to append the .ZEPTO extension to encrypted files and to create ransom notes named %Desktop%\[number]_HELP_instructions.html, %Desktop%\_HELP_instructions.html, and %Desktop%\_HELP_instructions.bmp. The extension and note names remain usable as host-based indicators for this version.